Merge "Allow compos_fd_server to create artifacts"
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index 18fa8bb..d15f9ba 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -13,3 +13,7 @@
allow system_data_file tmpfs:filesystem associate;
type authfs_fuse, fs_type, contextmount_type;
+
+# /dev/selinux/test - used to verify that apex sepolicy is loaded and
+# property labeled.
+type sepolicy_test_file, file_type;
diff --git a/microdroid/system/private/kernel.te b/microdroid/system/private/kernel.te
index 1d03c4a..258c8d7 100644
--- a/microdroid/system/private/kernel.te
+++ b/microdroid/system/private/kernel.te
@@ -81,3 +81,19 @@
#-----------------------------------------
allow kernel apkdmverity:fd use;
+
+# Some contexts are changed before the device is flipped into enforcing mode
+# during the setup of Apex sepolicy. These denials can be suppressed since
+# the permissions should not be allowed after the device is flipped into
+# enforcing mode.
+dontaudit kernel device:dir { open read relabelto };
+dontaudit kernel tmpfs:file { getattr open read relabelfrom };
+dontaudit kernel {
+ file_contexts_file
+ hwservice_contexts_file
+ mac_perms_file
+ property_contexts_file
+ seapp_contexts_file
+ sepolicy_test_file
+ service_contexts_file
+}:file relabelto;
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index c466292..4dfb304 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -16,6 +16,7 @@
diced_exec
extra_free_kbytes
extra_free_kbytes_exec
+ gesture_prop
hal_contexthub_service
hal_dice_service
hal_dumpstate_service
diff --git a/private/file.te b/private/file.te
index f3e1855..0eb2018 100644
--- a/private/file.te
+++ b/private/file.te
@@ -77,3 +77,7 @@
# /metadata/sepolicy
type sepolicy_metadata_file, file_type;
+
+# /dev/selinux/test - used to verify that apex sepolicy is loaded and
+# property labeled.
+type sepolicy_test_file, file_type;
diff --git a/private/file_contexts b/private/file_contexts
index ea5f66f..895b579 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -196,6 +196,15 @@
# Linker configuration
#
/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
+
+# Apex sepoolicy files.
+/dev/selinux/apex_file_contexts u:object_r:file_contexts_file:s0
+/dev/selinux/apex_seapp_contexts u:object_r:seapp_contexts_file:s0
+/dev/selinux/apex_service_contexts u:object_r:service_contexts_file:s0
+/dev/selinux/apex_property_contexts u:object_r:property_contexts_file:s0
+/dev/selinux/apex_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/dev/selinux/apex_mac_permissions\.xml u:object_r:mac_perms_file:s0
+
#############################
# System files
#
diff --git a/private/kernel.te b/private/kernel.te
index 5341163..6775b3b 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -31,3 +31,19 @@
allow kernel kmsg_device:chr_file write;
allow kernel gsid:fd use;
+
+# Some contexts are changed before the device is flipped into enforcing mode
+# during the setup of Apex sepolicy. These denials can be suppressed since
+# the permissions should not be allowed after the device is flipped into
+# enforcing mode.
+dontaudit kernel device:dir { open read relabelto };
+dontaudit kernel tmpfs:file { getattr open read relabelfrom };
+dontaudit kernel {
+ file_contexts_file
+ hwservice_contexts_file
+ mac_perms_file
+ property_contexts_file
+ seapp_contexts_file
+ sepolicy_test_file
+ service_contexts_file
+}:file relabelto;
diff --git a/private/property_contexts b/private/property_contexts
index 1627014..861d69f 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -70,6 +70,7 @@
persist.profcollectd.node_id u:object_r:profcollectd_node_id_prop:s0 exact string
persist.sys. u:object_r:system_prop:s0
persist.sys.safemode u:object_r:safemode_prop:s0
+persist.sys.tap_gesture u:object_r:gesture_prop:s0
persist.sys.theme u:object_r:theme_prop:s0
persist.sys.fflag.override.settings_dynamic_system u:object_r:dynamic_system_prop:s0
ro.sys.safemode u:object_r:safemode_prop:s0
diff --git a/private/system_app.te b/private/system_app.te
index 6cf993a..ce76b69 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -42,6 +42,7 @@
set_prop(system_app, exported_bluetooth_prop)
set_prop(system_app, exported_system_prop)
set_prop(system_app, exported3_system_prop)
+set_prop(system_app, gesture_prop)
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
set_prop(system_app, usb_control_prop)
diff --git a/public/property.te b/public/property.te
index c33d8a6..3a8dcd5 100644
--- a/public/property.te
+++ b/public/property.te
@@ -193,6 +193,7 @@
system_public_prop(exported_overlay_prop)
system_public_prop(exported_pm_prop)
system_public_prop(ffs_control_prop)
+system_public_prop(gesture_prop)
system_public_prop(hal_dumpstate_config_prop)
system_public_prop(sota_prop)
system_public_prop(hwservicemanager_prop)